HIPAA Subcontractor Extension To Lead To More Accountability: Security Experts

The U.S. Department of Health and Human Services (HHS) has issued a major change to the Health Insurance Portability and Accountability Act of 1996, finalizing long-awaited modifications that extend the privacy rules to subcontractors and add new language that experts say could make determining a breach easier for organizations.

The HIPAA modifications were introduced last week, finalizing proposed language changes but also adding changes that HHS says expand the requirements to business associates of healthcare providers and any entity with which they subcontract. HIPAA now covers the processors of health insurance plans and other service providers that handle personal healthcare information, such as contractors and subcontractors.

Up until now the focus has been on healthcare organizations themselves, said Kate Borten, president of The Marblehead Group, a consultancy that specializes in healthcare security. The new rule closes a serious gap in coverage, Borten said, now requiring each link in the contract and subcontract chain to be responsible for the next link.

"Finally these regulations mean that the entire chain of subcontractors is now directly liable to this federal agency and federal enforcement," Borten said. "There are so many third-party niche services provided across the entire spectrum of the healthcare delivery and the payment system, and they are frequently subcontracted multiple times."

The final rule states that healthcare organizations must ensure that business associates safeguard "electronic protected health information they create, receive, maintain, or transmit on behalf of the covered entities." HIPAA is extended to all Health Information Exchange Organizations as well as personal health record vendors that provide services to healthcare organizations, making them directly liable for violations of the requirements.

Business associates and subcontractors of all sizes have up to one year after the 180-day compliance date of March 26 to come into compliance with the provisions. HHS issued many of the changes as proposed rules in 2010, and security experts and healthcare providers have been waiting for them to be finalized. The final omnibus rule is based on statutory changes under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which provides that the HHS enforces the HIPAA privacy protections.

HHS added a clarification to the final rules that explains a reportable data security breach by adding language to the definition of breach. Under the final rules, "breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised." The rules state that a risk assessment will be necessary to determine the probability that the health information was compromised.

"Breach notification is still challenging for a lot of organizations, but determining if you've had a breach should be slightly easier to do with the new language," Borten said. "Instead of trying to figure out possible harm to individuals, organizations need to focus on whether PHI has been compromised."